Photopost Pro Bug Reports: Post post-installation PhotoPost Pro problems here.
April 23rd, 2011, 05:59 PM
|
#1 (permalink)
| | Member Verified Customer
Join Date: Oct 2005
Posts: 264
| Photopost site hacked
Yesterday my host performed an emergency shutdown of my site because a large number of malicious php files had appeared in my Data directories. Here is a list of the files :-
data/588/date.php
data/588/thumbs/configs.php
data/588/mini/include.php
data/588/medium/guest.php
data/552/system.php
data/552/thumbs/include.php
data/552/mini/date.php
data/552/medium/configs.php
data/546/properties.php
data/546/thumbs/report.php
data/546/mini/time.php
data/546/medium/includes.php
data/595/finfo.php
data/595/thumbs/options.php
data/595/mini/common.php
data/595/medium/properties.php
data/554/finfo.php
data/554/thumbs/options.php
data/554/mini/common.php
data/554/medium/properties.php
data/560/time.php
data/560/thumbs/includes.php
data/560/mini/report.php
data/560/medium/messages.php
data/include.php
data/566/layout.php
data/566/thumbs/date.php
data/566/mini/system.php
data/566/medium/include.php
data/572/commands.php
data/572/thumbs/system.php
data/572/mini/layout.php
data/572/medium/date.php
data/541/guest.php
data/541/thumbs/remote.php
data/541/mini/base.php
data/541/medium/links.php
data/592/tests.php
data/592/thumbs/commands.php
data/592/mini/contacts.php
data/592/medium/layout.php
data/565/options.php
data/565/thumbs/time.php
data/565/mini/properties.php
data/565/medium/report.php
data/574/report.php
data/574/thumbs/messages.php
data/574/mini/includes.php
data/574/medium/create.php
data/575/contacts.php
data/575/thumbs/layout.php
data/575/mini/commands.php
data/575/medium/system.php
data/576/tests.php
I have deleted the suspect files and my site is now up but how to stop this happening again? Site is running standalone 7.1, all latest files.
|
| |
April 23rd, 2011, 09:17 PM
|
#2 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,699
|
You would need to find out where the malicious thing is happening. The files are appearing in the data directory because it is 777 permissions so I assume whatever attack is happening is scanning your server folders for directories to try and place files in.
If you're integrated with vb then vb mods are the number one cause of this.
|
| |
April 24th, 2011, 05:38 AM
|
#3 (permalink)
| | Member Verified Customer
Join Date: Dec 2009
Posts: 40
| Quote:
Originally Posted by Chuck S
If you're integrated with vb then vb mods are the number one cause of this.
Please explain/explicate!
|
| |
April 24th, 2011, 05:46 AM
|
#4 (permalink)
| | Member Verified Customer
Join Date: Oct 2005
Posts: 264
|
My data directories are 755 as per my host's policy, and it's a standalone, no integration, no mods. I'm assuming that the malicious files were uploaded somehow since they appeared in the data directories, but I haven't figured out how as yet.
|
| |
April 24th, 2011, 06:04 AM
|
#5 (permalink)
| | Member Verified Customer
Join Date: Oct 2005
Posts: 264
|
These are my allowable file types :
.mpeg,.mpg,.avi,.asf,.wmv,.mov,.wav,.mp3,.divx,.pdf
.jpg,.jpeg,.png,.gif,.bmp
and the Flash uploader is on.
|
| |
April 24th, 2011, 06:13 AM
|
#6 (permalink)
| | Member Verified Customer
Join Date: Oct 2005
Posts: 264
|
I had this .htaccess file in the data directory:
Options -MultiViews
ErrorDocument 404 //the_zone/data/include.php
That doesn't appear in the current build as far as I can see, maybe a relic from previous versions? I've removed it anyway, doesn't seem to have affected anything. Could that have been a problem?
|
| |
April 24th, 2011, 08:30 AM
|
#7 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,699
|
You can not upload a php file through our application nor would they appear in every last directory the same files over and over. Over the years here I know you have a vbulletin mod which has a security issue and causing files to be uploaded to any directory it can find on the server which is uploadable to. Like years ago Michael had the same exact issue you had and he researched his issue and found it was some flashchat mod he was using on his site for vbulletin.
Basically you need to find out where your security hole is. We know it's not Photopost. We typecast all variables for security and there is even code in our application that only allows image files to be uploaded so you can not rename some php file to an image name and upload or even upload a straight php file. You can try and see what I mean.
There is one common denominator with the few people who have reported this issue over the years. They all run vbulletin and they all have various vbulletin mods installed.
|
| |
April 25th, 2011, 03:02 AM
|
#8 (permalink)
| | Member Verified Customer
Join Date: Oct 2005
Posts: 264
|
Sorry Chuck, but I do not run vbulletin and never have done. Must be mixing me up with someone else! I'm just trying to understand how these files could get onto my site, not apportioning blame here
| |
April 25th, 2011, 08:10 AM
|
#9 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,699
|
Well I did not say you had vbulletin only guessing here since those are the only reports we have had and I am summing up what was found out. I did not see a site link above so I can not tailor any response specifically to your site.
Anyway to sum up what I have already said. The type of attack that I have seen over the years is this. A suspect program that has a security flaw allows a user to get in and scan your site folders for folders that are writable and they drop in specific files that can assist them in trying to get full access. You will find these types of files in any directory on your server that is writable to it.
Aside from that without lots more info I can not say more than that. Do you have any of these files? Have you checked your other directories?
|
| |
April 26th, 2011, 11:26 AM
|
#10 (permalink)
| | Member Verified Customer
Join Date: Oct 2005
Posts: 264
|
I've checked and can't find any suspect files in any directories, so will have to hope it doesn't happen again. Meanwhile I've posted a question in the "How do I" section.
|
| |
April 26th, 2011, 11:49 AM
|
#11 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,699
|
Okay no problem
|